A security management system or product may manage user authentication (i.e., authenticating user identity) and may evaluate security policies based on attributes of a security policy to authorize users. An attribute may relate to an identity, a resource, an action, a rule, a response, or other information related to enforcing a security policy. For example, the security management system may verify an identity of a user based on an identity attribute of the security policy. The security management system may verify that an authenticated user may perform a particular action and/or may access particular resources (e.g., servers, devices, files, applications, domains, etc.) based on the action attribute and the resource attribute of the security policy. As security management products are used to protect an increasing number of applications, the number of policies for an application typically runs into the hundreds, thousands, and sometimes millions. Managing these policies becomes a cumbersome task, and the performance of the policy evaluation engine used to evaluate them suffers because a large number of policies must be matched and evaluated.
Different security policies may emphasize certain attributes over other attributes. For example, a resource-based security policy may be more concerned with identifying processes that may be performed using the resource rather than identifying users that may access a resource (such as when all users may access the resource). In this example, the resource attribute is more important than the identity attribute with respect to the resource-based security policy. Evaluating an identity attribute for this resource-based security policy would unnecessarily waste policy evaluation time and/or processing. On the other hand, an identity-based security policy may be more concerned with authenticating a user and determining roles of the user rather than determining what processes may be performed at particular resources. In this example, the identity attribute is more important for the identity-based policy and evaluating the identity-based security policy with a resource attribute would waste policy evaluation time and/or processing. Yet some conventional systems evaluate all policies irrespective of which attributes may be more important.
Other conventional systems may generate a policy tree to traverse the security policies based on an attribute in an attempt to reduce policy evaluation times. However, these systems fail to prioritize the generated policy tree, so unnecessary processing continues to occur. For example, conventional systems may generate policy trees based on a single attribute, such as a resource attribute, irrespective of whether the resource attribute is important for policy evaluation. This is not helpful when the security policies should be evaluated based on another attribute, such as the identity attribute. In these instances, conventional systems traverse all the security policies in the policy tree until the security policies for which the identity attribute is to be evaluated are found. This is time consuming, leading to increased policy evaluation times and delayed user request processing. Thus, conventional systems fail to efficiently match relevant security policies with attributes, resulting in unnecessary policy evaluations.
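The following Python is an added illustration, not code from the patent or its applicant: a naive engine that evaluates every policy is compared with an engine that buckets each policy under the attribute it emphasizes, so that a request is checked only against the policies relevant to the chosen attribute. The Policy shape, the request dictionaries, the sample policy set, and first-match/default-deny semantics are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Policy:
    name: str
    primary: str   # attribute this policy emphasizes: "identity" or "resource"
    match: dict    # attribute name -> value the request must carry
    effect: str = "allow"

def matches(policy, request):
    """True when every attribute the policy constrains is present in the request."""
    return all(request.get(k) == v for k, v in policy.match.items())

class NaiveEngine:
    """Evaluates every policy in order; first match wins, default deny."""
    def __init__(self, policies):
        self.policies = list(policies)
    def decide(self, request):
        evaluated = 0                      # counts policies actually examined
        for p in self.policies:
            evaluated += 1
            if matches(p, request):
                return p.effect, evaluated
        return "deny", evaluated

class IndexedEngine:
    """Buckets each policy by the value of the attribute it emphasizes."""
    def __init__(self, policies):
        self.index = defaultdict(lambda: defaultdict(list))
        for p in policies:
            self.index[p.primary][p.match[p.primary]].append(p)
    def decide(self, request, primary):
        # Only policies keyed on `primary` with the request's value are examined.
        evaluated = 0
        for p in self.index[primary].get(request.get(primary), []):
            evaluated += 1
            if matches(p, request):
                return p.effect, evaluated
        return "deny", evaluated

POLICIES = [  # constructed sample set: three resource-based, two identity-based
    Policy("res-share", "resource", {"resource": "/share", "action": "read"}),
    Policy("res-logs", "resource", {"resource": "/logs", "action": "read"}, "deny"),
    Policy("res-admin", "resource", {"resource": "/admin", "action": "write"}),
    Policy("id-alice", "identity", {"identity": "alice", "action": "read"}),
    Policy("id-bob", "identity", {"identity": "bob", "action": "write"}, "deny"),
]
NAIVE, INDEXED = NaiveEngine(POLICIES), IndexedEngine(POLICIES)
```

Deciding a request for alice on an unlisted resource costs the naive engine four evaluations but the identity-keyed lookup only one; looking the same request up by resource instead examines nothing and returns the default deny, which is the failure mode of a tree built on a single attribute that the text describes.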
Thus, what is needed is an efficient way to identify or otherwise prioritize relevant security policies based on attributes for which policy evaluation should occur.
These and other drawbacks exist.